Comment from Phillip Hofmeister on 2005-03-24 (2005-03-24T16:30:11Z)
Tegam is also proceeding with a civil case against Tena, in which it is asking for 900,000 euros in damages.

------------

It's too bad they will probably not be paying damages to any of their customers who were adversely affected by this problem =(.

Comment from Curt Sampson on 2005-03-23 (2005-03-24T12:10:20Z)
Bruce, you're always talking about using legal liability as a stick to get companies to "do the right thing" when it comes to security. I wonder if there wouldn't be some way to apply this idea to this sort of situation, or any situation where companies make it harder for their users to make their system more secure.

For example, perhaps a company ought to have less liability for a security problem if they distribute source code to their users, since this gives the users themselves a means of finding (and, if given a build system, patching) security flaws. Contrariwise, a company that denies their users this, forcing them to rely exclusively on the company for security fixes, might then have more liability should they not discover the problems or not fix them quickly.

This might also help the problem of liability laws versus open-source software. I've always felt that putting too much liability on the authors could badly hurt open source, since who would want to release something that could bankrupt him?

Comment from wiz on 2005-03-23 (2005-03-24T04:19:50Z)
Everybody seems to want to stop independent investigation of "malware" as well as shut up the critics of same: "CEASE & DESIST" letters & threat of lawsuits to CastleCops, SpywareWarrior, etc. M$ not sued yet for their classification of "Spyware". Will they, w/ deep pockets, and cause of Windows LACK OF SECURITY cave in? Or, will they w/ NDA's lead the pack to prevent INDEPENDENT disclosure of flaws in OS & "default" installations?

Comment from Kitetoa on 2005-03-23 (2005-03-24T00:45:14Z), http://www.kitetoa.com/Pages/Textes/Textes/25012005-Tegam_versus_Guillermito/index.shtml
How many bytes do you have to copy to counterfeit software in France and stop being a bug hunter...?

The computer expert report, which was heavily used by the judges to condemn Guillermito, clearly indicates that he "disassembled, then reassembled some parts of Viguard software". The court condemned Guillermito for counterfeiting and publishing counterfeit data.

In my previous post, about the possible consequences of this legal precedent on bug hunting and full disclosure, I ended with a question:

"Finally, after reading this excellent comment by Maitre Eolas, we can - as computer specialists - wonder about the number of bytes reproduced in the POCs which transforms them into counterfeiting. Viguard is probably around several megabytes of data. For how many reproduced bytes do we have counterfeiting, if we don't have a valid licence? And what if we do have a valid licence?"

Let's try to answer this question by simply looking a little bit closer at Guillermito's analysis of Viguard software.

The computer expert report clearly mentions a "utilisation and adaptation of the source of Viguard".

Let's see how many lines of source code Guillermito used or adapted.

According to the bug hunter, not a single one. He says he never decompiled the software, and never published any source code. Nor did he publish any disassembled listing.

So what did he actually publish? A few signatures used in boot virus detection, the precise boot verification routine but without any code, a few keywords considered dangerous that Viguard detects inside scripts, all from memory.

During the judicial investigation, it seems that all the attention focused on a Proof of Concept named VGNaked.

This program takes care of database files, called certify.bvd, created in each directory by Viguard, which store some information about each program in that directory. If you run it, you will get two new files: certify.dec, which is in the same binary format except that it is now decrypted, and certify.dmp, which is a dump, a sort of human-readable version of the content of the original database file. Guillermito needed to know the content of these database files to find some vulnerabilities. For example, because Viguard only stored the first 16 bytes of code in the executable section of a Windows PE file, any virus which was going to modify more than these 16 bytes couldn't possibly be repaired by Viguard. He needed to show proof of this assertion, hence his Proof of Concept program.

These certify.bvd database files created by Viguard are encrypted with a fixed XOR key, obviously found in memory when Viguard is run. Guillermito got these keys from memory and used them to decrypt these databases as said above. This knowledge, in turn, was used later to find subsequent vulnerabilities (for example, a trojan could create on the fly a tailored database file for itself and immediately become certified and so not detected by the anti-virus).

In the assembler source of his program, "VGNaked.asm", you can see all the code. Including, close to the beginning, in the data area, the infamous XOR key (so important that actually, in the next versions of Viguard, these keys are no longer used and the database files aren't encrypted anymore).

It looks like this (obviously, the exact values of the bytes were changed, I would not like Tegam to accuse me of publishing anything counterfeit ;)):

Isn't that a beautiful example of counterfeiting ? Computer experts who may be reading us now know that very often their own research could now be considered as "counterfeiting" in France, and they can be sued for 80 bytes.

You can check what is written above by reading yourself the archived version of Guillermito's analysis page which detailed his research.

Tegam filed a complaint on June 6th, 2002. Here is Guillermito's page as archived on June 1st.

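The weakness Kitetoa describes above, modelled in an added example (Python written for this page, not Guillermito's VGNaked code and not anything from Tegam). The record layout, the header bytes, the key and the file names are constructed and hypothetical; nothing here is Viguard's real certify.bvd format or key. It goes one step beyond the comment: besides decrypting with a key pulled from memory and forging a certification record, it shows that a fixed XOR key can be recovered from known plaintext alone, and why a stored 16-byte code prefix cannot undo a larger modification.

```python
"""Toy model of a whitelist ("certification") database protected only by a
fixed XOR key.  Constructed for illustration: the record layout, MAGIC, the
key bytes and the file names are all hypothetical and are NOT Viguard's
real certify.bvd format or key."""
from itertools import cycle

MAGIC = b"CERT"      # hypothetical plaintext header
NAME_LEN = 32        # hypothetical fixed-width, NUL-padded file name
PREFIX_LEN = 16      # bytes of code stored per file, the limit the comment describes
KEY = bytes.fromhex("3f9a7c21e4580bd6a9133c7f50e2b84d")  # hypothetical fixed key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR against a repeating key; one function both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_record(name: str, code_prefix: bytes) -> bytes:
    """One record: NUL-padded name followed by the first PREFIX_LEN code bytes."""
    raw = name.encode()
    if len(raw) > NAME_LEN or len(code_prefix) < PREFIX_LEN:
        raise ValueError("bad record")
    return raw.ljust(NAME_LEN, b"\x00") + code_prefix[:PREFIX_LEN]


def build_db(entries: dict, key: bytes = KEY) -> bytes:
    """What the scanner writes to disk: header + records, XORed with the key."""
    plain = MAGIC + b"".join(encode_record(n, c) for n, c in entries.items())
    return xor_with_key(plain, key)


def parse_db(cipher: bytes, key: bytes = KEY) -> dict:
    """The VGNaked-style step: decrypt with the key and dump the records."""
    plain = xor_with_key(cipher, key)
    if not plain.startswith(MAGIC):
        raise ValueError("wrong key or corrupt database")
    body = plain[len(MAGIC):]
    rec_len = NAME_LEN + PREFIX_LEN
    if len(body) % rec_len:
        raise ValueError("truncated record")
    entries = {}
    for off in range(0, len(body), rec_len):
        rec = body[off:off + rec_len]
        entries[rec[:NAME_LEN].rstrip(b"\x00").decode()] = rec[NAME_LEN:]
    return entries


def recover_key(cipher: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """A fixed XOR key also falls to known plaintext, no memory dump needed:
    cipher XOR plain = keystream, which repeats every key_len bytes.  The header
    plus the NUL padding of a predictable first file name is enough here."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    stream = xor_with_key(cipher[:len(known_plaintext)], known_plaintext)
    if any(stream[i] != stream[i % key_len] for i in range(len(stream))):
        raise ValueError("keystream does not repeat with that period")
    return stream[:key_len]


def forge_certification(cipher: bytes, name: str, code_prefix: bytes,
                        key: bytes = KEY) -> bytes:
    """Append a record for an arbitrary file and re-encrypt: with no MAC and a
    known key, a trojan can certify itself, as the comment describes."""
    plain = xor_with_key(cipher, key) + encode_record(name, code_prefix)
    return xor_with_key(plain, key)


def repair(infected: bytes, stored_prefix: bytes) -> bytes:
    """All a scanner can restore when it kept only PREFIX_LEN bytes of code."""
    return stored_prefix[:PREFIX_LEN] + infected[PREFIX_LEN:]


if __name__ == "__main__":
    # Constructed sample data: two 'files' whose first 16 code bytes are stored.
    clean = {"calc.exe": bytes(range(64)), "notepad.exe": bytes(range(64, 128))}
    db = build_db({n: c[:PREFIX_LEN] for n, c in clean.items()})
    for name, prefix in parse_db(db).items():          # the certify.dmp view
        print(f"{name:12s} {prefix.hex()}")
    known = MAGIC + b"calc.exe".ljust(NAME_LEN, b"\x00")
    print("recovered key:", recover_key(db, known, len(KEY)).hex())
    forged = forge_certification(db, "evil.exe", b"\x90" * PREFIX_LEN)
    print("evil.exe certified:", "evil.exe" in parse_db(forged))
    infected = b"\xcc" * 40 + clean["calc.exe"][40:]   # a virus rewrote 40 bytes
    print("repair complete:", repair(infected, clean["calc.exe"][:PREFIX_LEN]) == clean["calc.exe"])
```

The point for a practitioner is that the key is not the interesting part of the finding: a repeating XOR with no authentication fails against known plaintext whether or not anyone reads process memory, and a whitelist the protected program itself can rewrite is not a whitelist. Recovering the key from the first 36 bytes of a database whose header and first file name are predictable is the same amount of "copying" as reading it from memory, which is why the byte-count framing of the ruling worries researchers.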
Comment from Guillermito on 2005-03-23 (2005-03-24T00:01:35Z), http://www.guillermito2.net
> This was debunked some time ago

Well, as you are talking about me, I have the written judgement right in front of my eyes, and the judge says (bad translation is mine) :

"... so Guillaume T. actually reproduced, modified, and re-assembled all or a part of V. software, and then freely distributed software based on the sources of the V. software. So he will be declared guilty and condemned..."

To me, that sounds like a condemnation of full disclosure. If I hadn't published a proof of concept containing a handful of bytes (two XOR keys), I would never have been found guilty. If you want to see what this PoC looked like, it's here (in bold are the bytes from the software, obviously I changed the values).

It's a condemnation of full disclosure for another reason, way beyond my own personal case (I live in the US and this particular software is not sold here, and there was no demo or trial for download): now the French CERTs, or even security mailing lists, cannot publish any proof of concept if they don't know and cannot verify whether the original bug hunter had a valid licence for the software or not.

To publish a vulnerability in France now, you have to prove that you bought the software. I don't think it's a step in the right direction for information and for raising the global security level.

Comment from Kyle on 2005-03-23 (2005-03-23T23:35:54Z), http://kylem.xwell.org
This was debunked some time ago -- the ruling was that you cannot reverse engineer and disclose vulnerabilities in a product for which you have no valid license. See my blog post from almost two weeks ago at http://kylem.xwell.org/blog/archives/2005/03/10/tech/security/france-did-not-outlaw-full-disclosure/ for links to more detailed explanation (including one by a French lawyer).

Comment from Chris Wysopal on 2005-03-23 (2005-03-23T16:56:48Z)
A company in the US, Sybase, wants to do the same thing using the clause in their EULA which forbids publication of "benchmark and performance" data which is how they classify vulnerability information.

Comment from Reese on 2005-03-23 (2005-03-23T16:40:16Z), http://www.inkworkswell.com
Yes, the courts found he was using an "illegal" copy of the software, whatever that means. Trialware versions of the Viguard antivirus product can be freely downloaded. http://www.viguard.com/en/download.php is the English language download page, I didn't look further. Yes, had he shown that he was using a bought & paid for copy, he would have been in a better position, legally. Meanwhile, the 5,000 euro suspended fine and Tegam's 900,000 euro civil case against Guillaume are blatantly vindictive, and other security researchers in France seem to consider themselves on notice, per the CNet article. This is a bad ruling. It is damaging to the security community at large and to the French security community more specifically. It needs to be overturned or thrown out.

Reese

Comment from Yves on 2005-03-23 (2005-03-23T16:23:31Z)
It's not really the case. Actually, Guillaume lost his case because he used a pirated version of the software to find vulnerabilities. From a lawyer's point of view, this is not a trial against full disclosure, and if he had used a legitimate version of the software he wouldn't have lost...
More info (in French) on http://maitre.eolas.free.fr/journal/index.php?2005/03/08/87
Use Google to translate. This guy is a lawyer and followed the case from the start.

Comment from Israel Torres on 2005-03-23 (2005-03-23T15:56:46Z)
Big surprise: It's France.